ISV adoption of mitigation technologies
Michael Howard
Sep 21, 2010
Hi, Michael here,
Over the last few weeks, Matt Miller, Matt Thomlinson, John Lambert and I worked on a paper that describes the various buffer overrun defenses we offer in Windows Vista and later and Windows Server 2008 and later.
I’d like to introduce a guest SDL blogger, Matt Miller, a member of our Security Research and Defense team, who has written a great article that describes the rationale behind the paper.
Over to Matt…
On our Security Research and Defense blog we have previously described the security benefits of mitigation technologies like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)[1,2]. These technologies and others like them (SEHOP, GS, etc.) are designed to make it more difficult for attackers to reliably exploit software vulnerabilities. The growing prevalence of these technologies has contributed to increased interest from the security research community on the subject of developing new bypass techniques[3]. We value the research community’s findings in this area and are continuing to work on improving the effectiveness of our mitigation technologies. In the meantime, there are important steps that Independent Software Vendors (ISVs) must take to ensure that these mitigations are as effective as possible.
In practice, the effectiveness of mitigations like DEP and ASLR is heavily dependent on how completely each mitigation technology has been enabled by an application. Failing to completely enable a mitigation technology leaves low-hanging fruit that an attacker can use to their advantage when developing an exploit.
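One way an ISV can check how completely DEP and ASLR are enabled across everything an application ships is to read the opt-in bits from each image's PE header. The following is an added example, not code from the original post; the two flag values are the documented `DllCharacteristics` bits, while the module names and the `make_image` helper are constructed for the demonstration.

```python
import struct

# DllCharacteristics bits from the PE format (winnt.h).
DYNAMIC_BASE = 0x0040  # image opts in to ASLR (linker /DYNAMICBASE)
NX_COMPAT = 0x0100     # image opts in to DEP (linker /NXCOMPAT)

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field from a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    opt_off = pe_off + 4 + 20  # skip PE signature and COFF file header
    if image[pe_off:pe_off + 4] != b"PE\0\0" or len(image) < opt_off + 72:
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):  # PE32, PE32+
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<H", image, opt_off + 70)[0]  # same offset in both

def missing_mitigations(image: bytes) -> list:
    """List the mitigations this image has not opted in to."""
    flags = dll_characteristics(image)
    wanted = (("ASLR", DYNAMIC_BASE), ("DEP", NX_COMPAT))
    return [name for name, bit in wanted if not flags & bit]

def audit(modules: dict) -> dict:
    """Map module name -> missing mitigations, for modules with gaps only."""
    report = {name: missing_mitigations(img) for name, img in modules.items()}
    return {name: gaps for name, gaps in report.items() if gaps}

def make_image(flags: int, pe32_plus: bool = False) -> bytes:
    """Build a constructed, header-only PE image for the demonstration."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt = bytearray(240 if pe32_plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<H", opt, 70, flags)
    machine = 0x8664 if pe32_plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)

SAMPLE = {  # constructed: the modules one hypothetical application ships
    "app.exe": make_image(DYNAMIC_BASE | NX_COMPAT),
    "plugin.dll": make_image(NX_COMPAT),
    "legacy.dll": make_image(0, pe32_plus=True),
}

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE).items():
        print(f"{name}: not opted in to {', '.join(gaps)}")
```

To audit real binaries, pass the leading bytes of each shipped EXE and DLL to `missing_mitigations` in place of the constructed images.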